How Lax Oversight Of Electronic Health Records Puts Patients At Risk

Plans to ensure patient safety as the nation transitioned to electronic health records have yet to come to fruition a decade later, according to a new report. From an investigation: In fall 2009, several dozen of the best minds in health information technology huddled at a hotel outside Washington, D.C., to discuss potential dangers of an Obama White House plan to spend billions of tax dollars computerizing medical records. The health data geeks trusted that transitioning from paper to electronic records would cut down on medical errors, help identify new cures for disease and give patients an easy way to track their health care histories. But after two days of discussions, the group warned that few safeguards existed to protect the public from possible consequences of rolling out the new technology so quickly. Because this software tracks the medicines people take and their vital signs, even a tiny error or omission, or a doctor's inability to access the file quickly, can be a matter of life or death. The experts at that September 2009 meeting, mainly members of the American Medical Informatics Association, or AMIA, agreed that safety should be a top priority as federal officials poured more than $30 billion into subsidies to wire up medical offices and hospitals nationwide. The group envisioned creating a national databank to track reports of deaths, injuries and near misses linked to issues with the new technology. It never happened.

Instead, plans for putting patient safety first -- and for building a comprehensive injury reporting and reviewing system -- have stalled for nearly a decade, because manufacturers of electronic health records (EHRs), health care providers, federal health care policy wonks, academics and Congress have either blocked the effort or fought over how to do it properly, an ongoing investigation by Fortune and Kaiser Health News shows. Over the past 10 years, the parties have squabbled over how best to collect injury data, over who has the power to require it, over who should pay for it, and over whether to make public damning findings and the names of those responsible for safety problems. In 2015, members of Congress derailed a long-planned EHR safety center, first by challenging the government's authority to create it and later by declining to fund it. A year later, Congress stripped the Food and Drug Administration of its power to regulate the industry or even to track malfunctions and injuries.

Free credit monitoring won't fix this

[ErichTheRed]

Companies don't care about privacy or data security because a breach is a non-event. They just file a cyber-insurance claim, get their payout, and hand out free credit monitoring. Maybe there's a class-action lawsuit and they'll have to pay a few million dollars, meaning that every user affected will get 11 cents at some point in the future. The cost of doing this is less than hiring competent IT and development staff, and no one ever gets criminally punished. I have never worked for a company that has cared one bit about their data security...banks don't care, retailers don't care, software companies don't care...and they won't until something big changes.

Health records are definitely an issue in the world for for-profit insurance. Individuals aren't buying much life insurance anymore since it's no longer about keeping the widowed housewife from starving when the breadwinner dies. But companies do buy it for their employees and I'm sure they'd love to have this information accidentally leaked from one of the big EHR companies (Epic, McKesson, Allscripts, etc.) Same goes for health insurers...having access to a patient's entire medical history including visit patterns, prescriptions and diagnoses would be a great way to "optimize pricing" of these products, putting them out of the reach of people with chronic illnesses.

It's kind of in the realm with all these DNA sequencing companies. You can't free-credit-monitor your way around these joker tech companies having an 'oops' moment and dumping their entire database onto a public S3 bucket or Azure Storage blob. Once this information is out, it's out.

That's not the problem

[tomhath]

Companies don't care about privacy or data security...blah...blah...blah...

TFA isn't about privacy or security, it's about patient safety. Ensuring the data is complete and correct is a very difficult problem, and one that HIPAA doesn't address at all. If anything, HIPAA makes it worse because it places tight restrictions on who can see the data - meaning fewer people have the whole picture and increasing the likelihood of an error slipping through unnoticed.

It's easy to sit there at your keyboard and demand perfection, but in the end healthcare is provided by busy people working

More money to be made without it

[damn_registrars]

Just like so many other things, you need only to follow the dollar. The insurance industry is one of the largest in the country, and one of the most powerful in Washington DC as well. If they keep the regulations lax it is much easier for them to mine the data to come up with new criteria to use to justify dropping patients, stopping treatments, etc. They don't want to be hindered in their quest for profit, nor do their shareholders, and US congress certainly doesn't want them to be either.

Re:More money to be made without it

[techdolphin]

It is about the money, but the issues expressed in the parent comment may be off the mark. The current EHRs are designed for billing. There were not design for the benefit of patients and/or doctors. The outputs often hide necessary clinical information. A doctor told me that printouts of EHR information about a patient contains pages of useless information and that she highlights the 2-3 paragraphs of useful information. The doctor said she spends hours filling out useless information and checking boxes th

Its a mess

[Anonymous Coward]

Being in a rural area my wife had to deal with four places to get her cancer treatments done. Each one of them had to build a medical history from scratch, and at one they asked for the history again as they upgraded to a new system and didn't want to transfer the records from the old one (I suggested they get the well documented history from that 2inch thick file in their hands as they were talking to us.). When having some diagnosis or procedure done at one we it took effort to get the documentation to

Other issues

[JaredOfEuropa]

Our country also moved to a centralized patient dossier system, but interestingly the discussion wasn't so much about incorrect data or a doctor's inability to access the records quickly enough. However it is to be implemented, it was seen as a great improvement over the current situation, with records scattered over a multitude of systems, at the GP, the hospitals, insurers, etc.

There were some worries about the security of the data. But most concerns were about privacy. Who gets access to the data, and why? At first they said: only medical professionals. Then: maybe researchers too. Insurers? No way... welllllllll..... unless it's for preventing fraud. Or lowering health care costs. And of course they refused to put in a simple audit trail that would allow every person to see when their data was pulled, by whom, and why.

Re:

[timeOday]

Yes, the whole, "let's not keep any organized records because they might not be perfect!" argument seems pretty silly, when the entire 'system' we (the US) has now is a trainwreck of negative drug interactions and redundant diagnostic tests because avoiding those things is nobody's job.

Re:

[alvinrod]

I think we'd all be better served by dealing with the negative drug interaction problem by trying to get people away from the pharmaceutical trough rather than accepting it as a given and shaping society around it. I think we've gone a bit overboard with the whole "pill for every woe" that people have taken to mean that they can continue on with their existing lifestyle that in many cases lead to the problems in the first place. Modern medicine really doesn't get the credit it deserves.

So let's not stac

Re:

[timeOday]

I also like the audit log part. I think a lot of leakage could be prevented by rules restricting copying of digital data and requiring providers to go back to some approved source, combined with some modicum of DRM. But the problem is even protecting the central repository of data seems to be beyond us, for example the OPM hack.

Re:

[cayenne8]

Our country also moved to a centralized patient dossier system

May I ask what country you are from and talking about?

While I understand the want and potential for doing such a system, I go along with the congress critters from the article that voted it down, because it is NOT the responsibility, nor is it amongst the limited enumerated powers and responsibilities of the US Federal Govt.

I don't want the govt involved with my medical records, nor my medical tx in any shape, form or fashion.

I don't believe

Re:

[JaredOfEuropa]

This was in the Netherlands.
Many people here feel that in some cases the government is more efficient than the market, or provides better outcomes. Government control wasn't much of a consideration here, even amongst those who opposed the system. And most people here would trust the government with certain data, provided that there are strict limits on the use of that data, and that those limits are enforced. Sadly that is rarely the case.

Re:

[libertarianbro]

Just to be argumentative...you said and I quote "I don't want the govt involved with my medical records, nor my medical tx in any shape, form or fashion." The truth is that any data sent over an ISP is already known by the government. This has been the case since the telegraph. They may not be actively listening, but at any time I could review the logs and see the traffic showing even your encrypted transactions that exceed HIPAA muster. I worked in this industry for years, the average place cannot even

EHRs are overrated

[Anonymous Coward]

The information stored in EHRs is overrated. Today your facebook, ig and other social media accounts can give anybody plenty of information about your health. There's enough AI that can scour your digital footprint to tell me if you're HIV positive or not or suffer from diabetes. If you constantly check in at Krispy Kreme every morning your EHR data is not going to tell me anything more than I already know about you being a potential diabetic.

The key thing that makes EHR data not so critical anymore is the

EHR's make the medical system lazy

[Raymond Berry]

The proof is obvious, and it's not far away in Canada. In this country, where doctors are more or less employees of the provincial governments, EHR's are often used to diagnose patients, treat them, and get them out of the office as fast as possible. This has led to a number of faults, which include misdiagnosis of chronic conditions, resulting in becoming a roadblock to treating disease that gets worse with time (like cancer). Instead of looking for the true cause of a disorder, leaning too hard on the

EHR were poorly implemented due to regulation

[guruevi]

About a decade ago, EHR was crammed down the throats of every institution, large and small, most of them simply weren't ready to do it. Even in a relatively large office with multiple doctors, you could often get a pair of administrators handle any paper form and requests in and out. So they had this huge requirement to implement a system as fast as possible. At the same time, the demand was that EHR make Medicare cheaper without any data supporting EHR making anything cheaper. Now, you not only have to have more administrators because the EHR is slower than filing paper, but you also have to have at least a pair of IT persons on call and in some cases you even have to have someone that's able to generate reports out of all this for regulation compliance.

The only people that got rich of it were Epic, Athena, Philips and a few others, that through glad-handing and used-car-sales tactics, made every doctor and hospital sign up, then mid-implementation hiked the prices and cut support. Moreover, Epic etc promised that you could talk to other EHR's, the government through pressure from companies like Epic rescinded that requirement for interoperability and now if you want to integrate multiple systems, you have to pay more for middleware.

In the end, the consumer paid for all it through increased insurance rates because now they had to cover more and more of the Medicare/Medicaid cuts. Then came the government mandated cuts to private insurance and the healthcare systems started failing, whereas yearly 2-3 healthcare systems would fail per year, for the last decade we've had 10+ hospital systems fail per year. Healthcare got less accessible, fewer people have insurance and costs tripled.

Meaningful Use Mess.

[jellomizer]

Meaningful Use (MU) guidelines that were requirements for the EHR were poorly created, Strictly Enforced, and for the most part created to fail. Because providers with MU complaint EHR would get a big tax benefit, often offsetting the cost of the EHR. But to not pay for them they made MU difficult to implement, not good simple(ish) steps to make things really better.

The CCD/CCA, HL7, and EDI are standard formats for communicating with other EHR systems. The CCD/CCA are often not even on the development roa

Re:

[Kjella]

Like everything else related to healthcare the US took a good thing and made it pretty horrible. Here in Norway EHR has been the default for a good while and I don't know anyone who'd like to go back to paper. In fact, the chief complaint is that different systems don't talk well enough to each other, we want more standardized and structured data. The complexity of modern health care is constantly growing with interactions between generalists and specialists, transitions between levels of care and a host of

Re:

[Sad Loser]

the EHR provider lock-in with big companies e.g. Cerner and Epic is insidious and prevents innovation and change.
I don't have a problem with a company that has a good product and wants to charge a premium price, but the quid pro quo is that the person who pays the money should be able to determine what interfaces to the system (providing it satisfies agreed national / international standards).

At the moment there is major anticompetitive behaviour by most of the major EHR vendors and people are starting to r

Re:

[markdavis]

>"the EHR provider lock-in with big companies e.g. Cerner and Epic is insidious and prevents innovation and change."

+1. In this region of the US, we had ENORMOUS pressure to use Epic (even though it wouldn't even work in our facility because they don't support our type of business, so we implemented a different EMR). We have a near-monopoly health system here who chose EPIC and whenever we explored any type of interfacing or access, the standard response was either to be ignored or some insane response

Re:

[drinkypoo]

Now, you not only have to have more administrators because the EHR is slower than filing paper,

How does that work?

but you also have to have at least a pair of IT persons on call

Why a pair? Does one type while the other one moves the mouse?

and in some cases you even have to have someone that's able to generate reports out of all this for regulation compliance.

Having done database reporting for a living, I am skeptical of this claim. You write a report once, and then you just plug in different dates (etc.) when you run it again.

Re:

[guruevi]

As others have pointed out, the EHR requires a lot more information to be filled out, often repetitive and ad nauseam before it LETS you continue. In the past, you just drew a big line through the irrelevant sections, now you have to actively answer NO to all the questions.

You need a pair in a small-medium office because the computers not working brings the business to a grinding halt. Say you have ~30 workstations, before, you could just call the contractor on a next-business day basis. Now you have to hav

Why is Los Angeles International Airport involved?

[jfdavis668]

LAX has trouble keeping track of airplanes, why would they have over-site of health records? No wonder there are problems.

How is this different from now?

[superdave80]

Because this software tracks the medicines people take and their vital signs, even a tiny error or omission, or a doctor's inability to access the file quickly, can be a matter of life or death.

Isn't this the exact same issue with paper records? Only paper records rely on someone correctly writing something down, filing it in the proper place for someone else to find it, and hoping they can read whatever handwriting was used by the doctor/nurse at the time? E-records do have their issues, but this ain't one of them...

The medical establishment hates EHRs

[Applehu Akbar]

This is primary evidence that we need to quickly agree on a standard for digitizing medical records, and then begin the long but vital process of setting up interfaces tailored for various specialties. The gateway primary needs one specific interface, the anesthesiologist another, the nephrologist still another.

Right now the only medical specialty that has an optimized interface into electronic records wherever they are implemented is billing.

Re:

[tomhath]

This is primary evidence that we need to quickly agree on a standard for digitizing medical records...

HL7 and the World Health Organization have been trying to crack that nut for decades. Much easier said than done.

Data breaches are irrelevant

[groobly]

Data breaches are a trivial problem compared to the fact that EHRs are full of garbage, and lacking in real information. A data breach at worst means that someone can try to sell you something, or maybe refuse to offer you insurance. But bad data in your health record means that someone might kill you (accidentally, of course).

I keep copies of all my health records, and there are tons of them. THEY ALL ARE FULL OF ERRORS. Some of them, serious errors. About a 90% of my encounters have errors in the